Re: [psad-discuss] Confusing alert from Psad
On Oct 29, 2013, Muhammad Yousuf Khan wrote:

> [cut]
>
> > psad offers scan detection that is beyond what can be expressed within
> > the signature set. The NULL scan detection message was generated from
> > the non-signature portion of psad.
>
> Actually I like the way it worked; it cleared up lots of my IDS/IPS concepts, so
> I would like to read about it in more depth.
>
> E.g. there is a signature file in the psad directory. I saw the patterns of the
> signatures and how it detects the packet from the log. Is there any file where
> I can see those extra patterns for non-signature detection?

Non-signature detection is implemented in code. Actually, signature detection is
implemented in code too: you can think of each signature as a highly expressive
"configuration" for how the code treats incoming data. When the signature
language does not support something that is useful for attack detection, it
becomes a choice as to whether it is worth trying to extend the signature
language itself or to write code to support better detection without modifying
the language.

Depending on how deep you want to go, it is probably worth starting with going
through all of the psad.conf variables and associated comments, and from there
taking a look at the psad code itself.

--Mike

> > > why the Null scan didn't show the signature against which this alert
> > > triggered.
> >
> > Having said the above, there is also a NULL scan signature that appears
> > not to have fired, and I believe this is a minor bug that will be
> > corrected in the next version.
>
> Yes, I observed that too; there was a Null signature which wasn't
> triggered. No problem, I am fine as long as it is detecting, one way or another.
>
> > Thanks,
> >
> > --Mike

___
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
Re: [psad-discuss] Confusing alert from Psad
[cut]

> psad offers scan detection that is beyond what can be expressed within
> the signature set. The NULL scan detection message was generated from
> the non-signature portion of psad.

Actually I like the way it worked; it cleared up lots of my IDS/IPS concepts, so
I would like to read about it in more depth.

E.g. there is a signature file in the psad directory. I saw the patterns of the
signatures and how it detects the packet from the log. Is there any file where I
can see those extra patterns for non-signature detection?

> > why the Null scan didn't show the signature against which this alert
> > triggered.
>
> Having said the above, there is also a NULL scan signature that appears
> not to have fired, and I believe this is a minor bug that will be
> corrected in the next version.

Yes, I observed that too; there was a Null signature which wasn't triggered. No
problem, I am fine as long as it is detecting, one way or another.

> Thanks,
>
> --Mike
Re: [psad-discuss] Confusing alert from Psad
On Oct 28, 2013, Muhammad Yousuf Khan wrote:

> I am using nmap for scanning NULL and XMAS.
>
> Here is the log:
>
> XMAS log:
>
> src: 10.x.x.17 signature match: "SCAN nmap XMAS" (sid: 1228) tcp port: 765
> Oct 28 21:03:38 firewall psad: scan detected: 10.x.x.17 -> 10.x.x.22 tcp: [1-65389] flags: URG PSH FIN tcp pkts: 2000 DL: 5
>
> Null Scan log:
>
> psad: scan detected: 10.x.x.17 -> 10.x.x.22 tcp: [1-65389] flags: NULL tcp pkts: 1990 DL: 5

psad offers scan detection that is beyond what can be expressed within the
signature set. The NULL scan detection message was generated from the
non-signature portion of psad.

> why the Null scan didn't show the signature against which this alert
> triggered.

Having said the above, there is also a NULL scan signature that appears not to
have fired, and I believe this is a minor bug that will be corrected in the next
version.

Thanks,

--Mike

> Thanks,
>
> MYK
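To make the difference between a signature match and the flag-based, non-signature detection Mike describes concrete, here is an added example (not psad's code and not from this thread) that classifies TCP flag combinations in iptables LOG lines, the input psad itself reads, and reports NULL and XMAS sweeps across many ports. The log lines, addresses and the port-count threshold are constructed for the example; unlike psad it has no signature set and no danger levels.

```python
import re
from collections import defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# iptables LOG prints the set flags as bare words between RES=0x.. and URGP=..; a NULL-scan packet shows none.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) "
    r".*?RES=0x[0-9a-fA-F]+ (?P<flags>(?:[A-Z]{3} )*)URGP="
)

def parse_line(line):
    """Return (src, dst, dport, flags) for a TCP iptables LOG line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = frozenset(m.group("flags").split()) & TCP_FLAGS
    return m.group("src"), m.group("dst"), int(m.group("dpt")), flags

def classify_flags(flags):
    """Name the probe type implied by the flag combination (None = unremarkable)."""
    if not flags:
        return "NULL"                       # no flags set at all: nmap -sN
    if {"URG", "PSH", "FIN"} <= flags:
        return "XMAS"                       # URG+PSH+FIN lit up: nmap -sX
    return None                             # SYN, ACK, ... look like normal traffic

def detect_scans(lines, min_ports=5):
    """Group anomalous-flag packets by (src, dst, type); report sweeps of many ports."""
    ports = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, flags = parsed
        kind = classify_flags(flags)
        if kind is not None:
            ports[(src, dst, kind)].add(dport)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}

def sample_log():
    """Constructed iptables LOG lines (made-up addresses): an XMAS sweep and a
    NULL sweep from one host, plus two ordinary SYNs that must not be reported."""
    tmpl = ("Oct 28 21:03:38 firewall kernel: IN=eth0 OUT= SRC={src} DST=10.0.0.22 "
            "LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=40000 DPT={dpt} "
            "WINDOW=1024 RES=0x00 {flags}URGP=0")
    lines = [tmpl.format(src="10.0.0.17", dpt=p, flags="URG PSH FIN ") for p in range(760, 766)]
    lines += [tmpl.format(src="10.0.0.17", dpt=p, flags="") for p in range(1, 7)]
    lines += [tmpl.format(src="10.0.0.5", dpt=p, flags="SYN ") for p in (22, 443)]
    return lines
```

`detect_scans(sample_log())` returns the XMAS sweep over ports 760-765 and the NULL sweep over ports 1-6 from 10.0.0.17, and nothing for the two SYNs from 10.0.0.5.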